Facebook braces itself for data protection audit

An audit of Facebook's premises in Ireland will take place next week, an Austrian law student who has made complaints to the Irish data protection authorities has claimed.As ZDNet UK reported a month ago, complaints by Max Schrems and his 'Europe v Facebook' campaign group have spurred Ireland's Data Protection Commissioner (DPC) to announce an audit of Facebook's offices.

An audit of Facebook's premises in Ireland will take place next week, an Austrian law student who has made complaints to the Irish data protection authorities has claimed.

As ZDNet UK reported a month ago, complaints by Max Schrems and his 'Europe v Facebook' campaign group have spurred Ireland's Data Protection Commissioner (DPC) to announce an audit of Facebook's offices. The Vienna-based group has targeted Facebook's Irish operations because all European customers have a contract with that office.

Schrems and some fellow students had made a written request to Facebook to have the social networking firm send them all the data it held on them. Each received a CD with on average about a thousand pages of information, including a vast amount that the users thought they had deleted. The CDs also included a detailed history of every rejected friend request, every event invitation and every Facebook chat.

Although Facebook does have a simple online facility for users to download their data, this only includes data such as photos and status updates that the user themself has uploaded. As for information linked to the user but uploaded by their contacts, Facebook will only release this data upon receiving a written request.

Europe v Facebook, which accuses Facebook of not complying with European data protection legislation, said on Wednesday that "according to different sources the audit at the Irish headquarters of Facebook will be done this coming week", and that the audit would last four to five days.

"We hope that this will bring more evidence for the complaints we filed before," the group said. "Audits get announced, so Facebook had at least a month to 'prepare' for it."

The DPC's office would not confirm the timing given by Europe v Facebook, but did tell ZDNet UK on Friday that the audit would certainly take place before Christmas, and may last more than a week.

If the DPC does find Facebook has been breaching Irish data protection law, it can then recommend changes to the way the company retains and processes personal data. If Facebook refuses to comply, the DPC can then issue a legal notice requiring that the changes be made.

Facebook would then be able to appeal against this notice to the Irish courts, at which point the courts take over the case. If the company fails to appeal and still refuses to make the changes, the DPC would then have the power to ask the courts to fine Facebook up to €3,000 (£2,600). However, the courts would also have the power to fine the company up to €100,000 if they are particularly displeased.